Frontend / backend

It seems that all my clients (website, mobile, backend) have to share the same token (project's token). Is there a way to say this event is sure because it has been sent by the backend? I mean, what guarantees that this data hasn't been sent by someone who retrieved the token from the frontend JS snippet? I’m concerned about calls to track_charge() for example.

4 replies

It is correct that your token is public, however in my 2+ years at Mixpanel I have never seen malicious events get sent to a project. That being said, if you want to confirm that specific data is sent only from your backend, you can add a filter to your report to only include events from a back-end Mixpanel library.

It is also worth mentioning that while a token is public, your secret is private and available only to you, which is required for exports of any kind.

Is this something that you are observing in your project? If so, I’d want to learn more about what you are seeing so we can create a plan to prevent this, figure out why it may be happening, or explore whether you are seeing bot activity that could be removed.

If this is preventative, I would recommend that you use additional property filters that you know are only getting sent from your team. Maybe there is a unique property name or ID that you are sending that would only be known to you and your team.

Let me know how that sounds! Also, I confirmed that none of my responses have been marked as best answer and I will keep an eye on this thread to make sure that you get a timely response!
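The "property only your team knows" idea from the reply above, taken one step further as an added example (not code from the thread or from Mixpanel): the backend attaches an HMAC over the event's contents, and the job that reads exported events keeps only those whose tag verifies. The property name `backend_sig`, the key, and the sample events are assumptions constructed for illustration; the events are plain dicts in the `{"event": ..., "properties": {...}}` shape and no Mixpanel library call is made.

```python
import hashlib
import hmac
import json

# Assumption: held only by the backend and the analysis job, never shipped in client code.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
SIG_PROP = "backend_sig"  # hypothetical property name


def _canonical(event):
    """Stable byte encoding of the event name and all properties except the tag."""
    props = {k: v for k, v in event.get("properties", {}).items() if k != SIG_PROP}
    body = {"event": event.get("event"), "properties": props}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_event(event, key=SIGNING_KEY):
    """Backend side: return a copy of the event carrying an HMAC-SHA256 tag."""
    signed = {"event": event["event"], "properties": dict(event["properties"])}
    signed["properties"][SIG_PROP] = hmac.new(key, _canonical(event), hashlib.sha256).hexdigest()
    return signed


def is_backend_event(event, key=SIGNING_KEY):
    """Analysis side: true only if the tag matches the event's current contents."""
    tag = event.get("properties", {}).get(SIG_PROP)
    if not isinstance(tag, str):
        return False
    expected = hmac.new(key, _canonical(event), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag.encode(), expected.encode())


def filter_trusted(events, key=SIGNING_KEY):
    return [e for e in events if is_backend_event(e, key)]


# Constructed sample events.
GENUINE = sign_event({"event": "charge",
                      "properties": {"distinct_id": "user-1", "amount": 49.0, "time": 1700000000}})
# Sent with only the public token: no tag, even though it claims a back-end library.
FORGED = {"event": "charge",
          "properties": {"distinct_id": "user-1", "amount": 9999.0, "mp_lib": "python"}}
# A genuine tag copied onto altered contents no longer verifies.
TAMPERED = {"event": "charge", "properties": dict(GENUINE["properties"], amount=9999.0)}

if __name__ == "__main__":
    print(len(filter_trusted([GENUINE, FORGED, TAMPERED])), "of 3 events verified")
```

Because the tag covers the amount, user and timestamp, a value copied from one event cannot be reused on another with different contents.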
